Syndicate content

What is the 255 in "iptables -A INPUT -p icmp --icmp-type 255 -j ACCEPT"?

The following command adds a rule to your iptable firewall:

iptables -A INPUT -p icmp --icmp-type 255 -j ACCEPT

As we can see, the rule accepts protocol ICMP and uses ICMP type 255. Only, if you look for a list of valid ICMP types, 255 is not included.

The fact is that this rule actually says: accept any ICMP type. If you changed the ACCEPT with DROP, it would refuse all ICMP packets. In most cases, it is safe to accept ICMP packets since they do not divulge more information than necessary.

Note that in your firewall script, you may use "any" instead of 255. That will make it clearer. However, when you check out your firewall, it will show the rule as follow:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts   bytes target  prot opt in   out  source     destination

2432  326450 ACCEPT  icmp --  eth0 *    icmptype 255

and as you can see, it says 255 and not any. So this is something you want to know about. The meaning of ICMP type 255 is: All ICMP types included. This is an internal interpretation of the ICMP type value and not a type of mask or anything of the sort.


Syndicate content